Results 1 to 3 of 3

Thread: Win32 Api Creation == ?

  1. #1
    Banned shakuni's Avatar
    Join Date
    Aug 2007

    Win32 Api Creation == ?

    While researching for my book ("Malware : Writing Malicious Code"), I came across this-
    Some malware goes so far as to avoid importing any functions from available
    DLLs. Instead, it emulates all of the APIs it needs. This means that you cannot list the
    functions, so you cannot easily set breakpoints on them, as all API calls will just be
    a part of the malware code.In some cases, malware authors even use this to trap reverse engineers: they
    may import functions that are never used (having used the emulated ones instead).
    Now my question is-

    How can I emulate an API, for example, How can I write code that'll manipulate windows registry without using win32 api ? In other words, how can I write win32 api without using win32 api.

    While researching on web for this idea, all I found was either emulation of win32 api on linux boxes (wine etc.) or the "new" technology AVs that emulates win32 api to fool viruses.

    Please share any ideas you may have on the problem.

    Maybe these viruses use native api(s) to emulate win32 api, but I don't think so(for obvious reasons).

    or if you've heard of any virus that emulates API, give me its name. The rest (like, retrieving the API emulating code from the virus) I'll manage.
    Last edited by shakuni; March 23rd, 2008 at 03:03 PM.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    I am no expert in this area, but I would suggest you might look into "Rootkit Revealer" and how it works.

    My rather simplistic concept of how most of this stuff (to date) works is that it goes below the level of the API and feeds it bum data, so you don't see anything obvious?

    I believe that they operate at the raw data level of the Registry Hives etc.?

    I am pretty certain that you need to look at rootkits specifically for this type of malware. I have not heard of viruses, adware or other common crap that does it this way?

    Please look at RR, as I understand that it looks at the lowest raw data level and compares it to the API (highest level) to report discrepancies.

    Good luck

  3. #3
    Junior Member
    Join Date
    Mar 2008

    I would also looki into IceSword. I have been using it for about 3 years now and RootKits are my specialty at the moment. IceSword was developed for just that purpose. If you have any questions let me know.

Similar Threads

  1. Win32 Under the hood
    By journy101 in forum Other Tutorials Forum
    Replies: 2
    Last Post: July 27th, 2003, 03:16 AM
  2. Win32 GUI Programing
    By journy101 in forum Other Tutorials Forum
    Replies: 0
    Last Post: July 27th, 2003, 02:17 AM
  3. Win32 Getting Down and Dirty
    By journy101 in forum Other Tutorials Forum
    Replies: 2
    Last Post: July 26th, 2003, 11:35 PM
  4. Win32 API Programming with C (PART 2)
    By learning20 in forum Other Tutorials Forum
    Replies: 0
    Last Post: December 24th, 2002, 08:51 PM
  5. Introduction to Win32 programming using C/C++
    By learning20 in forum Other Tutorials Forum
    Replies: 1
    Last Post: December 19th, 2002, 07:33 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts